Numbered ACL (1~99)
=========================================
Filters on the source address only
ex:
r1(config)#access-list 1 permit 192.168.1.0 0.0.0.255
r1(config)#interface fa 0/0
r1(config-if)#ip access-group 1 in
Allows 192.168.1.0/24 in through fa 0/0
r1#show access-lists
Standard IP access list 1
10 permit 192.168.1.0, wildcard bits 0.0.0.255
(there is an implicit deny any at the end of the list)
192.168.1.254 0.0.0.0 can be abbreviated as
host 192.168.1.254
or simply as
192.168.1.254
0.0.0.0 255.255.255.255 can be abbreviated as
any
Applying it to VTY access
r1(config)#line vty 0 15
r1(config-line)#access-class 1 in
Use show ip interface fa 0/0 to check whether an ACL is applied to the interface
R1#show ip interface fastEthernet 0/0
FastEthernet0/0 is up, line protocol is up (connected)
Internet address is 192.168.10.254/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is 1
Proxy ARP is enabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is disabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP Fast switching turbo vector
IP multicast fast switching is disabled
IP multicast distributed fast switching is disabled
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Probe proxy name replies are disabled
Policy routing is disabled
Network address translation is disabled
BGP Policy Mapping is disabled
Input features: MCI Check
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled
WCCP Redirect exclude is disabled
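Checking which list is applied in each direction is the reason for looking at the show ip interface output above. As an added Python example, not part of the original notes, the block below parses that output (the fa 0/0 block from the page, trimmed, plus a constructed fa 0/1 block with no ACL applied) and lists the interfaces that have no inbound access list.

```python
import re

# Constructed sample: the page's "show ip interface fastEthernet 0/0" output (trimmed to the
# relevant lines) followed by an invented second interface, fa 0/1, that has no ACL applied.
SAMPLE_SHOW_IP_INTERFACE = """\
FastEthernet0/0 is up, line protocol is up (connected)
  Internet address is 192.168.10.254/24
  Broadcast address is 255.255.255.255
  Outgoing access list is not set
  Inbound access list is 1
  Proxy ARP is enabled
FastEthernet0/1 is up, line protocol is up (connected)
  Internet address is 192.168.20.254/24
  Outgoing access list is not set
  Inbound access list is not set
  Proxy ARP is enabled
"""

# First line of each interface block, e.g. "FastEthernet0/0 is up, line protocol is up (connected)".
IFACE_RE = re.compile(r"^(\S+) is \S+, line protocol is ")
# The two lines that name the applied ACLs; IOS prints "not set" when there is none.
ACL_RE = re.compile(r"^\s*(Inbound|Outgoing) access list is (.+?)\s*$")


def parse_show_ip_interface(text):
    """Return {interface: {"in": <acl or None>, "out": <acl or None>}}."""
    result = {}
    current = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = {"in": None, "out": None}
            continue
        m = ACL_RE.match(line)
        if m and current is not None:
            direction = "in" if m.group(1) == "Inbound" else "out"
            value = m.group(2)
            result[current][direction] = None if value == "not set" else value
    return result


def interfaces_without_inbound_acl(text):
    """Interfaces that accept traffic from any source: the ones to review first."""
    acls = parse_show_ip_interface(text)
    return sorted(name for name, d in acls.items() if d["in"] is None)


if __name__ == "__main__":
    for name, d in parse_show_ip_interface(SAMPLE_SHOW_IP_INTERFACE).items():
        print(name, "in:", d["in"], "out:", d["out"])
    print("no inbound ACL:", interfaces_without_inbound_acl(SAMPLE_SHOW_IP_INTERFACE))
```

Run it against the full output of show ip interface (all interfaces) to get an inventory of where ACLs are and are not applied.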
Numbered extended ACL (100~199)
===================================================
r1(config)#access-list 101 deny tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 eq 21
r1(config)#access-list 101 deny ip any any
r1#show access-lists
Standard IP access list 1
10 permit 192.168.1.0, wildcard bits 0.0.0.255
Extended IP access list 101
10 deny tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 eq ftp
20 deny ip any any
r1(config-if)#ip access-group 101 in
Named standard ACL
===================================================
r1(config)#ip access-list standard test
r1(config-std-nacl)#deny 192.168.1.10 0.0.0.0
r1(config-std-nacl)#deny host 192.168.1.11
r1(config-std-nacl)#exit
r1(config)#interface fa 3/0
r1(config-if)#ip access-group test out
r1#show access-lists
Standard IP access list test
20 deny 192.168.1.11
10 deny 192.168.1.10
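The matching rules used by all three lists on this page (wildcard bits, the host and any shorthands, the implicit deny any, and the protocol/destination/eq port fields of the extended entries) as an added Python example that is not part of the original notes. It parses entry lines as typed on the router and evaluates packets first-match, the way IOS does. The packet dictionaries and the variant of ACL 101 that ends in permit ip any any are constructed for the example; as written on the page, ACL 101 and the named list test contain only deny entries, so they drop everything, which the evaluator reproduces.

```python
import ipaddress

PROTOCOLS = {"ip", "tcp", "udp", "icmp"}
ANY = ("0.0.0.0", "255.255.255.255")   # what the keyword "any" expands to


def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def _is_dotted(token):
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(network) & care)


def _take_address(tokens):
    """Consume one address spec (any / host X / X W / bare X); return ((network, wildcard), rest)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    if len(tokens) > 1 and _is_dotted(tokens[1]):
        return (tokens[0], tokens[1]), tokens[2:]
    return (tokens[0], "0.0.0.0"), tokens[1:]   # bare address: treated as a single host


def parse_entry(line):
    """Parse one entry as typed on the router, with or without the 'access-list <n>' prefix."""
    tokens = line.split()
    if tokens[0] == "access-list":
        tokens = tokens[2:]
    action, tokens = tokens[0], tokens[1:]
    if action not in ("permit", "deny"):
        raise ValueError("expected permit or deny: " + line)
    entry = {"action": action, "proto": "ip", "src": ANY, "dst": ANY, "dport": None}
    if tokens[0] in PROTOCOLS:                 # extended: protocol, source, destination, optional eq <port>
        entry["proto"] = tokens[0]
        entry["src"], tokens = _take_address(tokens[1:])
        entry["dst"], tokens = _take_address(tokens)
        if tokens[:1] == ["eq"]:
            entry["dport"] = int(tokens[1])
    else:                                      # standard: source address only
        entry["src"], tokens = _take_address(tokens)
    return entry


def evaluate(entries, packet):
    """First matching entry wins; anything unmatched hits the implicit 'deny any' at the end."""
    for e in entries:
        if e["proto"] != "ip" and e["proto"] != packet.get("proto"):
            continue
        if not wildcard_match(packet["src"], *e["src"]):
            continue
        if not wildcard_match(packet["dst"], *e["dst"]):
            continue
        if e["dport"] is not None and packet.get("dport") != e["dport"]:
            continue
        return e["action"]
    return "deny"


# The page's lists, parsed from the lines as typed on the router.
ACL_1 = [parse_entry("access-list 1 permit 192.168.1.0 0.0.0.255")]
ACL_101 = [parse_entry("access-list 101 deny tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 eq 21"),
           parse_entry("access-list 101 deny ip any any")]
ACL_TEST = [parse_entry("deny 192.168.1.10 0.0.0.0"), parse_entry("deny host 192.168.1.11")]
# Constructed variant: the same FTP block followed by a permit, so only FTP to 192.168.2.0/24 is dropped.
ACL_101_WITH_PERMIT = ACL_101[:1] + [parse_entry("permit ip any any")]

# Constructed packets (proto/src/dst/dport) for trying the lists.
FTP_FROM_LAN = {"proto": "tcp", "src": "192.168.1.20", "dst": "192.168.2.5", "dport": 21}
HTTP_FROM_LAN = {"proto": "tcp", "src": "192.168.1.20", "dst": "192.168.2.5", "dport": 80}

if __name__ == "__main__":
    print(evaluate(ACL_1, {"src": "192.168.1.20", "dst": "10.0.0.1"}))  # permit
    print(evaluate(ACL_1, {"src": "192.168.2.20", "dst": "10.0.0.1"}))  # deny (implicit)
    print(evaluate(ACL_101, HTTP_FROM_LAN))                             # deny: ACL 101 has no permit
    print(evaluate(ACL_101_WITH_PERMIT, FTP_FROM_LAN))                  # deny
    print(evaluate(ACL_101_WITH_PERMIT, HTTP_FROM_LAN))                 # permit
```

The evaluator ignores sequence numbers on purpose: IOS evaluates entries in the order shown by show access-lists, and the named list above shows that the displayed order can differ from the order the entries were typed in.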